Legal claims defining the scope of protection, as filed with the USPTO.
1. A method of preventing an attack on a network, wherein the attack comprises sending one or more spurious transmission control protocol (TCP) segments with a Reset (RST) bit set, the method comprising the computer-implemented steps of: receiving, from a remote end node, a TCP segment in which a RST bit is set, as part of an established TCP connection; in response to receiving the TCP segment, determining whether the TCP segment is a spurious TCP segment of the one or more spurious TCP segments by determining whether the TCP segment contains valid authentication information, wherein the authentication information is in a payload of the TCP segment; accepting the TCP segment and closing the TCP connection only when the authentication information is valid.
2. The method as recited in claim 1, wherein the determining step comprises determining whether both a sender Initial Sequence Number (ISN) value and a receiver ISN value in the payload of the TCP Control Block (TCB) that is maintained by a receiving process.
3. The method as recited in claim 1, wherein the determining step comprises determining whether a TCP header and options values in the payload of the TCP segment match corresponding TCP header and options values that are stored in a TCP Control Block (TCB) that is maintained by a receiving process.
4. The method as recited in claim 1, wherein the authentication information comprises a reset type value, a sender Initial Sequence Number (ISN) value and a receiver ISN value in the payload of the TCP segment.
5. The method as recited in claim 1, wherein the authentication information comprises a reset type value, a TCP header and options values in the payload of the TCP segment.
6. The method as recited in any of claims 1, 2, 3, 4, or 5, further comprising the steps of: determining that the authentication information is invalid or missing; dropping the TCP segment without notifying a sending node that dropping occurred.
7. The method as recited in claim 6, further comprising the step of creating and storing a log entry indicating that a possible spoofed RST segment was received.
8. The method as recited in claim 6, further comprising the step of generating a notification message indicating that a possible spoofed RST segment was received.
9. The method as recited in claim 1, further comprising the steps of: determining whether a sequence value in the segment is within a range of allowed sequence values; and accepting the TCP segment and closing the TCP connection only when the authentication information is valid and when the sequence value is within the range of allowed sequence values.
10. The method as recited in claim 1, further comprising the steps of: determining whether a sequence value in the segment is exactly equal to an expected segment sequence value; and accepting the TCP segment and closing the TCP connection only when the authentication information is valid and when the sequence value is equal to the expected sequence value.
11. An apparatus for preventing an attack on a network, wherein the attack comprises sending one or more spurious transmission control protocol (TCP) segments with a Reset (RST) bit set, comprising: means for receiving, from a remote end node, a TCP segment in which a RST bit is set, as part of an established TCP connection; means for determining whether the TCP segment is a spurious TCP segment of the one or more spurious TCP segments by determining whether the TCP segment contains valid authentication information in response to receiving the TCP segment, wherein the authentication information is in a payload of the TCP segment; means for accepting the TCP segment and closing the TCP connection only when the authentication information is valid.
12. An apparatus for preventing an attack on a network, wherein the attack comprises sending one or more spurious transmission control protocol (TCP) segments with a Reset (RST) bit set, comprising: a processor; one or more stored sequences of instructions that are accessible to the processor and which, when executed by the processor, cause the processor to carry out the steps of: receiving, from a remote end node, a TCP segment in which a RST bit is set, as part of an established TCP connection; in response to receiving the TCP segment, determining whether the TCP segment is a spurious TCP segment of the one or more spurious TCP segments by determining whether the TCP segment contains valid authentication information, wherein the authentication information is in a payload of the TCP segment; accepting the TCP segment and closing the TCP connection only when the authentication information is valid.
13. A computer-readable storage medium storing one or more sequences of instructions for preventing an attack on a network, wherein the computer-readable storage medium is one of a volatile or non-volatile medium, wherein the attack comprises sending one or more spurious transmission control protocol (TCP) segments with a Reset (RST) bit set, wherein the execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of: receiving, from a remote end node, a TCP segment in which a RST bit is set, as part of an established TCP connection; in response to receiving the TCP segment, determining whether the TCP segment is a spurious TCP segment of the one or more spurious TCP segments by determining whether the TCP segment contains valid authentication information, wherein the authentication information is in a payload of the TCP segment; accepting the TCP segment and closing the TCP connection only when the authentication information is valid.
14. The apparatus as recited in claim 11, wherein the means for determining step comprises means for determining whether both a sender Initial Sequence Number (ISN) value and a receiver ISN value in the payload of the TCP segment match corresponding ISN values that are stored in a TCP Control Block (TCB) that is maintained by a receiving process.
15. The apparatus as recited in claim 11, wherein the means for determining step comprises means for determining whether a TCP header and options values in the payload of the TCP segment match corresponding TCP header and options values that are stored in a TCP Control Block (TCB) that is maintained by a receiving process.
16. The apparatus as recited in claim 11, wherein the authentication information comprises a reset type value, a sender Initial Sequence Number (ISN) value and a receiver ISN value in the payload of the TCP segment.
17. The apparatus as recited in claim 11, wherein the authentication information comprises a reset type value, a TCP header and options values in the payload of the TCP segment.
18. The apparatus as recited in claim 12, wherein the determining step includes determining whether both a sender Initial Sequence Number (ISN) value and a receiver ISN value in the payload of the TCP segment match corresponding ISN values that are stored in a TCP Control Block (TCB) that is maintained by a receiving process.
19. The apparatus as recited in claim 12, wherein the determining step includes determining whether a TCP header and options values in the payload of the TCP segment match corresponding TCP header and options values that are stored in a TCP Control Block (TCB) that is maintained by a receiving process.
20. The apparatus as recited in claim 12, wherein the authentication information comprises a reset type value, a sender Initial Sequence Number (ISN) value and a receiver ISN value in the payload of the TCP segment.
21. The apparatus as recited in claim 12, wherein the authentication information comprises a reset type value, a TCP header and options values in the payload of the TCP segment.
22. The computer-readable storage medium as recited in claim 13, wherein the determining step comprises determining whether both a sender Initial Sequence Number (ISN) value and a receiver ISN value in the payload of the TCP segment match corresponding ISN values that are stored in a TCP Control Block (TCB) that is maintained by a receiving process.
23. The computer-readable storage medium as recited in claim 13, wherein the determining step comprises determining whether a TCP header and options values in the payload of the TCP segment match corresponding TCP header and options values that are stored in a TCP Control Block (TCB) that is maintained by a receiving process.
24. The computer-readable storage medium as recited in claim 13, wherein the authentication information comprises a reset type value, a sender Initial Sequence Number (ISN) value and a receiver ISN value in the payload of the TCP segment.
25. The computer-readable storage medium as recited in claim 13, wherein the authentication information comprises a reset type value, a TCP header and options values in the payload of the TCP segment.
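The receiving-side logic of claims 1, 4, 6, 7, 9 and 10 (accept a RST only when the reset type, sender ISN and receiver ISN carried in the payload match the TCB, and the sequence number is in the allowed range or exactly equal to the expected value; otherwise drop silently and log a possible spoofed RST), as an added illustration that is not code from the patent or its assignee. The payload layout (one reset-type byte followed by two big-endian 32-bit ISNs), the `TCB` and `Segment` records and the reset-type codes are assumptions made for the example; the patent does not specify an encoding.

```python
"""Added example: validate a TCP RST using ISN-based authentication in the payload.

Assumed payload layout (not specified by the patent):
    reset_type: 1 byte, sender_isn: uint32 BE, receiver_isn: uint32 BE
"""
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

RST_AUTH_FMT = "!BII"                     # assumed layout of the authentication block
RST_AUTH_LEN = struct.calcsize(RST_AUTH_FMT)
FLAG_RST = 0x04                           # RST bit position in the TCP flags byte
KNOWN_RESET_TYPES = {1, 2}                # assumed codes: 1 = abort, 2 = admin close
SEQ_MOD = 1 << 32


@dataclass
class TCB:
    """Per-connection state the receiver keeps (subset of a real TCP Control Block)."""
    local_isn: int        # ISN we chose when the connection was set up
    remote_isn: int       # ISN the peer chose
    rcv_nxt: int          # next sequence number we expect from the peer
    rcv_wnd: int          # our advertised receive window
    log: List[str] = field(default_factory=list)


@dataclass
class Segment:
    flags: int
    seq: int
    payload: bytes = b""


def seq_in_window(seq: int, tcb: TCB) -> bool:
    """True when rcv_nxt <= seq < rcv_nxt + rcv_wnd, with 32-bit wrap-around."""
    return (seq - tcb.rcv_nxt) % SEQ_MOD < tcb.rcv_wnd


def legacy_accepts_rst(seg: Segment, tcb: TCB) -> bool:
    """Pre-patent behaviour: any in-window RST tears the connection down.

    An off-path sender therefore only has to hit the receive window; that is
    the weakness the authentication check below is meant to remove.
    """
    return bool(seg.flags & FLAG_RST) and seq_in_window(seg.seq, tcb)


def check_rst(seg: Segment, tcb: TCB, exact_seq: bool = False) -> Tuple[bool, str]:
    """Return (accept, reason). The connection is closed only when accept is True.

    exact_seq=False implements the windowed check of claim 9; exact_seq=True
    implements the exact-match check of claim 10. Every rejection is logged
    (claim 7) and nothing is sent back to the remote node (claim 6).
    """
    if not seg.flags & FLAG_RST:
        return False, "not-a-rst"
    if len(seg.payload) < RST_AUTH_LEN:
        tcb.log.append(f"possible spoofed RST seq={seg.seq}: authentication missing")
        return False, "missing-auth"
    reset_type, sender_isn, receiver_isn = struct.unpack_from(RST_AUTH_FMT, seg.payload)
    # The peer's "sender ISN" is the ISN we recorded as remote_isn, and its
    # "receiver ISN" is our own local_isn. Both must match the TCB.
    if (sender_isn, receiver_isn) != (tcb.remote_isn, tcb.local_isn):
        tcb.log.append(f"possible spoofed RST seq={seg.seq}: ISN mismatch")
        return False, "bad-auth"
    if reset_type not in KNOWN_RESET_TYPES:
        tcb.log.append(f"possible spoofed RST seq={seg.seq}: unknown reset type {reset_type}")
        return False, "bad-reset-type"
    if exact_seq:
        if seg.seq != tcb.rcv_nxt:
            tcb.log.append(f"possible spoofed RST seq={seg.seq}: expected {tcb.rcv_nxt}")
            return False, "seq-mismatch"
    elif not seq_in_window(seg.seq, tcb):
        tcb.log.append(f"possible spoofed RST seq={seg.seq}: outside window")
        return False, "seq-out-of-window"
    return True, "accepted"


def make_auth(reset_type: int, sender_isn: int, receiver_isn: int) -> bytes:
    """Build the authentication block the legitimate peer would place in the RST payload."""
    return struct.pack(RST_AUTH_FMT, reset_type, sender_isn, receiver_isn)


def new_tcb() -> TCB:
    """Constructed sample connection state used by the demo and the tests."""
    return TCB(local_isn=0x11111111, remote_isn=0x22222222, rcv_nxt=1000, rcv_wnd=65535)


if __name__ == "__main__":
    tcb = new_tcb()
    # Genuine RST from the peer: its sender ISN is our remote_isn, its receiver ISN is our local_isn.
    good = Segment(FLAG_RST, 1000, make_auth(1, tcb.remote_isn, tcb.local_isn))
    # Constructed in-window RST with no authentication block at all.
    bare = Segment(FLAG_RST, 1200)
    print("legacy accepts bare RST:", legacy_accepts_rst(bare, tcb))
    print("hardened, bare RST:     ", check_rst(bare, tcb))
    print("hardened, genuine RST:  ", check_rst(good, tcb))
    print("log:", tcb.log)
```

The contrast between `legacy_accepts_rst` and `check_rst` is the point of the claims: the window check alone is what an off-path sender can satisfy by guessing, while the ISN pair is state only the two endpoints of the established connection hold. The `exact_seq` flag switches between the claim 9 (windowed) and claim 10 (exact) variants.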
December 30, 2008